
Thunderbird email hack using Sabre/Dav

Making moves

I have been using the Thunderbird mail program for some time and overall have been happy until tonight. I am not a programmer, but do have a good understanding of what is happening on my system. I have built my own computers for a very long time, have my own server, and other things... playing with computers for probably the past 50+ years. I owned the HP-35 of about 1973, recall the SCAMP and the Altair systems.

Anyway, some hacker is using a Sabre/DAV program to modify the Thunderbird mail program as I found out tonight with a threat and extortion attempt, wanting me to pay via bitcoin. This Sabre/Dav program that I am not familiar with is some kind of PHP program. This hacker was able to install his address: https:// (youremail). com or whatever you use, using port 8443 (SabreDav). Whatever mail activity being used is sent through this port to him. All mails and what you are doing.

It is installed on Thunderbird under: Account Settings for the specific mail program > Thunderbird Settings > Privacy and Security > Passwords > Saved Passwords.

When you access this area you will see where the hack was installed. For example, it might look like:   It is not any imap or smtp, or mail account. I am sure there are some other mods but I have not found any more so far. I have deleted this "add-on" account, and also disabled the listening port he/she was using, both in-bound and out-bound.

I have notified friends and family of the hack and the threats and extortion attempt. Personally so long as my external accounts are protected, I do not give a moose .... I am nearly 70 years old and at this age I do not think he can hurt me very much. I have been changing my email accounts and passwords to be safe. He also claims to have access to my web cam, my chats, messenger, microphone, etc... The funny thing is I have NO social media, I have NO cam on my computer, I have NO microphone on my system, No messenger, etc.... for the simple reason of people like this, and I like my privacy. Google, Ymail, and the rest are privacy risks... so you can see he is bluffing at this part. I will not know the extent of the damage until later on since I have refused to pay him via bitcoin.

I am hoping some programmer at Thunderbird can figure out how he/she did this and fix it; prevent this from happening to others.... and I would appreciate some feedback on what I may have missed, and how he/she did this. I have an alternate account and you can reach me at:




Making moves

Apparently port 8443 is used for Calendar and this is how he gained access to Thunderbird and my email accounts.  I do not use this Calendar program.  I am still hoping the Thunderbird Staff can fix this hole in the program.

Making moves

I know it's probably a bit late now, but do you have any screenshots of the threats requesting bitcoin and of the website?

I looked up sabre/dav and it seems to be a server for CalDAV which is what you use for syncing calendars and contacts, but it could be possible that someone modified it to be malicious, or is just using it as a backend to send your emails to.


I don't work for Thunderbird, I'm just curious about this.
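
For anyone reviewing the Saved Passwords list discussed in this thread, here is an added example (not from any poster and not Thunderbird project code) that inventories the saved logins in a profile and lists every entry that is not a mail protocol, with its port, HTTP realm and creation time, so each one can be matched against a calendar or address book you actually set up. It assumes the profile's `logins.json` stores each entry with `hostname`, `httpRealm` and `timeCreated` (milliseconds) fields and that mail passwords use the schemes listed in `MAIL_SCHEMES`; the `example.com` entries are constructed sample data.

```python
import json
import sys
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumption: origin schemes Thunderbird uses for mail-account passwords.
MAIL_SCHEMES = {"imap", "pop3", "smtp", "mailbox", "news", "oauth"}

# Constructed sample in the assumed layout of logins.json (encrypted fields omitted).
SAMPLE = json.dumps({"logins": [
    {"hostname": "imap://mail.example.com",
     "httpRealm": "imap://mail.example.com",
     "timeCreated": 1600000000000},
    {"hostname": "https://mail.example.com:8443",
     "httpRealm": "SabreDAV",
     "timeCreated": 1700000000000},
]})


def audit_logins(text):
    """Return saved logins whose origin is not a mail protocol."""
    findings = []
    for entry in json.loads(text).get("logins", []):
        origin = entry.get("hostname") or ""
        parts = urlsplit(origin)
        if parts.scheme in MAIL_SCHEMES:
            continue
        try:
            port = parts.port
        except ValueError:  # malformed port in the stored origin
            port = None
        created = datetime.fromtimestamp(
            (entry.get("timeCreated") or 0) / 1000, tz=timezone.utc)
        findings.append({
            "origin": origin,
            "port": port,
            "realm": entry.get("httpRealm"),
            "created": created.isoformat(),
        })
    return findings


if __name__ == "__main__":
    # Pass the path to a profile's logins.json, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for f in audit_logins(text):
        print(f"{f['created']}  {f['origin']}  realm={f['realm']}  port={f['port']}")
```

The creation time of each listed entry can be compared with when a calendar or contacts sync was configured on the account.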